Hi Splunkers, I have to perform a UF config and I don't know if some problem could rise. Let me explain better.
For a customer, we are collecting data from Windows Systems using UF. All selected logs come fine. Now, we have to collect logs from Windows DNS query; they are collected in debug mode and, then, stored in a path.
So, before any UF or Splunk action, the flow is:
Win DNS set on debug mode -> Log forwarded on a server -> Logs stored on server's path.
Due the high volume of collected store, on that server there are 2 scripts that follow a retention policy and, in a nutshell, delete logs older than 1 day. This because when DNS forward logs, write a file of maximum 500 MB and then another one is created. So, files are writed until threshold is reached.
Due we want use UF to monitor that path, our customer asked us its behavior regarding file monitoring; his doubt is how UF works when monitoring file, expecially the current writing one.
My knoledge is that UF should work exactely any other Data Input File & Directory monitoring: if we tell, in inputs.conf stanza, "monitor path X" it shuld simply monitor each file in a sequential manner; am I right?
You are correct.
You are correct.